From CRCs to resilient control systems: differentiating between reliability and security for the protection of cyber-physical systems

In this talk I will discuss the need to establish clear differences between reliability and security for protecting cyber-physical systems (CPS).

This is particularly important given the recent interest from researchers in exploring the vulnerability of a CPS when an attacker has partial control of the sensor or actuator signals, which has led to the proposal of several anomaly detection schemes for CPS by using data collected from physical sensors (as opposed to traditional network sensors). In the general setting, data obtained from normal behavior of the system is used to create a model and then any outlier is considered an anomaly and a potential failure or attack; however, this line of research is very similar to the fault-detection, and safety mechanisms that have been deployed in control systems for decades. In particular, the protection of control systems has traditionally been enforced by several safety mechanisms, which include bad data detection, protective relays, safety shutdowns, interlock systems, robust control, and fault-tolerant control; however, so far there has not been a systematic study that tries to identify how much these protection mechanisms can help against attacks (as opposed to failures or accidents), and how can they be broken by an attacker and potentially fixed by a system designer that incorporates attack models in the design of their system.

In this talk I describe how current protection mechanisms are analogous to how error correcting codes are used in communications: they protect against a vast majority of random faults and accidents; however they are not secure against attacks - the way cryptographic hash functions are. As a community we need to revisit protection mechanisms available from control theory and then analyze them from a security perspective, giving new guidelines on security metrics and new ways to design attack-resilient CPS. In addition, we also need to avoid falling into the trap of proposing security mechanisms that are evaluated using similar tools from reliability.